E-commerce won't grind to a halt because of it, but the strict data privacy protection plan implemented by the European Union (EU) on Sunday is likely to cause some trepidation in US companies -- and the fallout could eventually be significant.
The EU directive prohibits the buying and selling of personal data about European citizens, and mandates that Web sites tell users when data about them is collected and allows users to refuse disclosure. It is aimed at restricting the flow of information about Europeans to companies based in countries with more lax privacy standards, including the US. EU officials adopted the directive three years ago, and so far six of the 15 EU member nations have passed laws based on it. European law requires each member state to implement such a law, but the directive was set to go into effect this week regardless of whether all EU governments had done so.
The directive could theoretically empower European nations to bar marketing firms, banks, credit card companies and US firms with offices in Europe from sending personal data about European customers, clients or workers to the US, although such a drastic step is unlikely, observers said. But looming ahead is an escalation in the already-divisive argument that could have implications for US trade policy, experts said.
"I think in the short term, there will be no significant impact, but over the long term, there could be very serious implications for US companies," said Marc Rotenberg, executive director of the Electronic Privacy Information Centre (EPIC) in Washington, DC. Initially, the EU plan aims to give consumers ammunition against companies that misuse their personal data, he said. "What this is about is empowering European citizens" in the event their financial or medical data ends up in the wrong hands, Rotenberg said.
Negotiations are ongoing between the US Department of Commerce and EU officials aimed at forging a compromise plan to shield businesses from litigation as long as they follow basic data privacy practices, said Cheryl Mendonsa, director of strategic planning for the Commerce Department's Office of Technology Policy. "Probably nothing will happen until those talks conclude, but companies need to take a hard look at the directive to see if they are at least generally in compliance," said Susan Scott, executive director of TRUSTe, a non-profit online privacy initiative.
The EU was set to update the Commerce Department today on its member states' positions on the directive, Scott said. While Germany's government, for example, has an agency devoted to protecting the privacy of its citizens, US privacy laws vary from state to state. Federal privacy rules are now limited to those aimed at specific industries, such as the banking industry. This could ultimately change if EU member states push for strict adherence to the directive, said Barry Steinhardt, president of the Electronic Frontier Foundation (EFF). "We could end up in some serious trade spats over this," Steinhardt said. "The onus is really on the US government to pass laws that would bring American companies more in line with the European guidelines." While the European Union can't order the US to pass laws, "it can tell companies doing business in Europe that they have to conform to certain privacy standards," a mandate which could force changes in US law if American companies hope to compete overseas, Steinhardt said.
The Clinton administration has pushed for a compromise for months, but European officials have dug in their heels, he said. Many American companies, too, have ignored the issue, as the Federal Trade Commission said in its June 4 report to Congress. "The EU privacy directive has been the dead horse in the room that no one has wanted to talk about," Steinhardt said.
The directive gives Europeans the right to:
- Know how data about them will be used by Web sites or off-line marketers.
- Have access to the data and to correct it.
- Refuse the sale or sharing of their personal data with online or off-line companies.
- File suit against any company or marketer which violates these principles.